2022-02-24

Re: Securing Gemini Servers

=> #flightlog

perplexing.space has wise words about securing gemini servers:

In what is bound to be a refreshing break from whining about software I thought I might make a short post on some avenues toward securing gemini servers. There were a few recent instances of path traversal bugs exposing peoples' servers — what are some options for mitigating that sort of risk?

=> gemini://perplexing.space/2022/securing-gemini-servers.gmi | local copy

This made me realize, that my local instance, which is served as an .onion service, is in dire need of care.

logfiles and The Library

So for the first time (no kiddin') I looked at the logs. Is anyone at all requesting these pages? Yes, there is traffic. Turns out that is Stephanes lupa crawler. Nice! lupa is able to crawl .onions. Cool!

=> gemini://gemini.bortzmeyer.org/software/lupa/

However, there are quite a number of NotFound errors logged. Those are originating from links inside those files, which I collected into The Library. Buried deep into a post there is this:

Please note, that any of the in-capsule links within that copy will not work here. But the text at least should be there.

=> /en/2021/20211211-flightlog-10.gmi

But of course, the crawler won't read this, let alone adhere to it. So I created a robots.txt file:

User-agent: *
Disallow: /library
Disallow: /file

While this should cure the the above errors, it entails that the crawler will not see the contents of the library at all. So I would like to have something like a "crawl the files, but ignore the links in them" rule, like

AllowFiles: /library

Obviously, this would be an addition to the companion spec, and most probably it's going to be shot down by the guardians of simplicity. And honestly, I did not see this coming. Which just proofs, that I'm not a network protocol person.

server

Now back to the thing about the server. I use agate, just because it happened to work immediately. I could try to set up the inetd/vger combo, but that is for another day. Yes, my installation was in need of some love:

• create a separate user! NOW!
• move the files to be served below /srv/gemini
• move the certs to be used near there, owned by root and readonly
• change the systemd unit accordingly
• And while I was at it, I added the whole phletora of directives to the unit file as suggested by perplexing space. I did not create a chroot or another container.

So, now I'm feeling better! And it still works!

Thanks to perplexing.space to motivate me to look at it and change it.

Cheers,

~ew

=> the onion capsule | The Library | Home